
Date:         Tue, 9 Nov 1999 15:09:39 -0800
From: Jeff Bilicki <jeffb@COBALT.COM>
Subject:      [Cobalt] Security Advisory - cgiwrap
To: BUGTRAQ@SECURITYFOCUS.COM

Cobalt Networks -- Security Advisory -- 11.09.1999

Problem:
The current version of cgiwrap shipped on the RaQ 2 and RaQ 3i runs under
incorrect effective permissions, which could let a malicious site administrator
view or modify data in another virtual site on the same unit.

Description:
Thanks to Chris Adams <cmadams@hiwaay.net>

Chris Adams wrote:
>There is a problem (actually several) with the "cgiwrap" program on
>Cobalt RaQ2 servers.  It is supposed to run CGI programs as the proper
>user instead of "nobody" to make CGIs a little more secure.
[SNIP]
>The bigger problem is that cgiwrap apparently interprets top level
>directories of the site /web directory as users.  So if you have a CGI
>in a directory like /home/sites/site1/web/test/test.cgi and attempt to
>go to it at http://www.site1.com/test/test.cgi AND there is a user on
>the system named "test", cgiwrap thinks it should run the script as user
>"test".  It then actually attempts to run a script in /web directory of
>the user "test".
[SNIP]
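The condition Chris Adams describes is a name collision: a top-level directory under a site's /web that happens to match a login name on the box. The following script is an added example, not part of the advisory or of Cobalt's cgiwrap package; it walks every virtual site and reports such collisions so an administrator can see which sites are exposed until the fixed package is installed. It assumes the /home/sites/<site>/web layout quoted above (overridable through SITES_ROOT) and reads login names from a passwd-format file (PASSWD_FILE); both names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Cobalt advisory or its cgiwrap package.
# Lists top-level directories under each virtual site's web root whose name is
# also a login name on the system: the condition under which the described
# cgiwrap bug resolves a site path such as /web/test/test.cgi as user "test".
# Assumptions: sites live under SITES_ROOT/<site>/web (the /home/sites layout
# quoted above) and user names come from a passwd-format file (PASSWD_FILE).

SITES_ROOT="${SITES_ROOT:-/home/sites}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# find_user_dir_collisions SITES_ROOT PASSWD_FILE
# Prints "<site> <dirname>" for each collision. Returns 0 when there are none
# and 1 when at least one was found (so it can drive a cron alert).
find_user_dir_collisions() {
    sites_root="$1"
    passwd_file="$2"
    found=0
    for site in "$sites_root"/*; do
        [ -d "$site/web" ] || continue
        for dir in "$site/web"/*; do
            [ -d "$dir" ] || continue
            name=$(basename "$dir")
            # Exact, fixed-string match against the login field of passwd.
            if cut -d: -f1 "$passwd_file" | grep -qxF -- "$name"; then
                echo "$(basename "$site") $name"
                found=1
            fi
        done
    done
    return $found
}

# Stand-alone use: scan the real tree when it exists on this host.
if [ -d "$SITES_ROOT" ] && [ -r "$PASSWD_FILE" ]; then
    find_user_dir_collisions "$SITES_ROOT" "$PASSWD_FILE"
fi
```

A site listed by this check is one where a request for /<dirname>/something.cgi would be resolved by the unfixed cgiwrap against that user's /web directory rather than the site's own; renaming the directory removes the collision, but the real fix is the updated package below.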

Cobalt Networks is dedicated to providing secure platforms.
Accordingly, we have just completed a fix for this bug that is available
in RPM format, which can be found at the following locations:

RaQ 3i (x86)
RPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-pacifica-3.6.4.C5.i386.rpm
SRPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-pacifica-3.6.4.C5.src.rpm

RaQ 2 (MIPS)
RPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-raq2-3.6.4.C5.mips.rpm
SRPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-raq2-3.6.4.C5.src.rpm


MD5 sum                          Package Name
--------------------------------------------------------------------------
701b43ba607edee44c684ac2d428e710 cgiwrap-pacifica-3.6.4.C5.i386.rpm
41b7277afefb199c01a212dc86dab05b cgiwrap-pacifica-3.6.4.C5.src.rpm
0484a11647a3700fa0b9afe431c55d19 cgiwrap-raq2-3.6.4.C5.mips.rpm
5f3b483c352d25b3b11d266811e8b933 cgiwrap-raq2-3.6.4.C5.src.rpm

You can verify each rpm using the following command:
rpm --checksig [package]

To install, use the following command, while logged in as root:
rpm -U [package]
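Note that rpm --checksig verifies the digests and signatures embedded in the package file itself; it does not compare the file against the sums printed in the table above, which is a separate step. The script below is an added example, not from the advisory, that performs that comparison before the package is installed. The table inside it is copied from the advisory; the optional second argument to verify_package is this example's own addition so the function can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example, not part of the Cobalt advisory: compare a downloaded
# package's MD5 against the sum published in the advisory before installing.
# `rpm --checksig` checks the digest/signature embedded in the package; it
# does not compare against the advisory's table, so both checks are useful.

# Expected sums, copied from the advisory's table.
EXPECTED_SUMS='
701b43ba607edee44c684ac2d428e710 cgiwrap-pacifica-3.6.4.C5.i386.rpm
41b7277afefb199c01a212dc86dab05b cgiwrap-pacifica-3.6.4.C5.src.rpm
0484a11647a3700fa0b9afe431c55d19 cgiwrap-raq2-3.6.4.C5.mips.rpm
5f3b483c352d25b3b11d266811e8b933 cgiwrap-raq2-3.6.4.C5.src.rpm
'

# md5_of FILE: print the hex MD5 of FILE.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# expected_md5 NAME TABLE: print the published sum for package NAME, or nothing.
expected_md5() {
    printf '%s\n' "$2" | awk -v n="$1" '$2 == n { print $1 }'
}

# verify_package FILE [TABLE]
# Returns 0 when FILE's MD5 matches the published sum, 1 on a mismatch,
# 2 when the table has no entry for that file name. TABLE defaults to the
# advisory's sums; the argument exists so the check can be tested offline.
verify_package() {
    file="$1"
    table="${2:-$EXPECTED_SUMS}"
    name=$(basename "$file")
    want=$(expected_md5 "$name" "$table")
    if [ -z "$want" ]; then
        echo "no published sum for $name" >&2
        return 2
    fi
    have=$(md5_of "$file")
    if [ "$have" != "$want" ]; then
        echo "MD5 MISMATCH for $name: computed $have, published $want" >&2
        return 1
    fi
    echo "MD5 ok: $name"
}

# Stand-alone use: verify every package given on the command line and stop
# at the first failure, so a mismatched file is never handed to rpm -U.
for f in "$@"; do
    verify_package "$f" || exit $?
done
```

Once a package passes this comparison, run rpm --checksig on it and then rpm -U as root, as the advisory describes; a mismatch means the download is corrupt or not the file Cobalt published, and should not be installed.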

The package file format (pkg) for this fix is currently in testing, and
will be available in the very near future.


Jeff Bilicki
Software Engineer
Cobalt Networks
jeffb@cobalt.com